Security Researcher Chris Vickery was accused of unethical hacking after he discovered an exposed database containing sensitive information that belonged to uKnowKids.com, an Arlington, Va.-based company that helps parents monitor their children’s online activities.
How many victims? 1,700
What type of information? The database contained full names, email addresses, GPS coordinates, dates of birth, 6.8 million private text messages, and 1.8 million images. It also contained Facebook, Twitter, and Instagram account details as well as business data, trade secrets, and proprietary algorithms.
What happened? Vickery discovered the database had been exposed for approximately 48 days due to a misconfigured MongoDB installation. Vickery said he was able to access the information in the database without a password. uKnow, the parent company of uKnowKids, said that two IP addresses repeatedly obtained unauthorized access to the database over the course of 26 hours between Feb. 16 and 17. The company believed that both IP addresses belong to Vickery but has yet to confirm. In addition, two more IP addresses that were traced to “credible organizations” also discovered the database but didn’t explore its contents.
What was the response? The database was secured within 90 minutes of Vickery notifying the company. uKnow initiated an exhaustive forensics analysis and has hired two external, third-party security firms to proactively attempt to breach their systems on an ongoing and continuous fashion. The company is updating its existing internal security policy and frameworks and the Federal Trade Commission (FTC) has been notified of the incident.
Details? uKnow said that Vickery’s work was helpful but said they don’t approve of his methods because it puts customer data and intellectual property at risk. uKnow demanded that Vickery delete all copies of the uKnow database to which he claims to have done but he reportedly has retained screenshots of some of the information.
Quote: “We have been locking down on the facts over the last few days with a forensics analysis of ALL uKnow systems, and we plan to disclose ALL of the relevant facts to our customers, the media, and the appropriate legal authorities as soon as we are confident that our facts are 100% accurate,” uKnow and uKnowKids Chief Executive Officer Steve Woda said in a Feb. 22 press release.
“The lesson to learn here is that, if you’re a parent, be wary of services that offer to monitor your child’s online behavior. These services collect unnerving amounts of data on your child and, when a breach occurs, all of that data can be exposed to untold numbers of people,” Vickery told the security news site SaltedHash.